Duncan_Clay - thank you SO much for that information about the group policy (Allow security intelligence updates from Microsoft Update = Disabled). I was REALLY hopeful that was it, because, yes, I did not have that first setting configured (set to Disabled). So I changed it, did a gpupdate /force, waited, and rebooted, waited some more, waited overnight, and still no updates. If I run the command to update it, then it does look to the file share and does the update. I just really don't want to run the command to update it. I am very perplexed at what I'm missing. Our devices are managed in our Azure tenant, which is in turn managed by our Security Technical team, so I don't have good visibility into any settings there. Do you think there is a setting there that is overriding this? I know a member of that team made a mention that you can't temporarily disable real-time protection on our devices based on a setting at the Azure tenant level, so I wonder if there's something set there overriding group policy? I just want this to be easy like our other OSes!
Thanks in advance for all the suggestions and help so far. Hoping something sticks soon; unfortunately, Windows 2012 R2 is our largest server deployment and I really don't want to manage updating the signatures and engines manually.